Platform
java
Component
keycloak
Fixed in
26.2.15
26.4.14
CVE-2026-4325 is a vulnerability in Keycloak's SingleUseObjectProvider, the global key-value store in which Keycloak keeps single-use entries, including the record that an action token has already been consumed. Because the store does not isolate entries by type or namespace, an attacker who can cause Keycloak to delete a key of their choosing can remove arbitrary single-use entries. Deleting the "consumed" record for an action token such as a password reset link lets that token be replayed, which can lead to unauthorized access or account compromise. Keycloak releases before the fixed versions are affected; the fix ships in 26.2.15 and 26.4.14.
Keycloak (including the Red Hat build of Keycloak 26.2) is affected by CVE-2026-4325. The flaw lies in the SingleUseObjectProvider, a global key-value store shared by several Keycloak features. Without type and namespace isolation, an entry written by one feature can be deleted through another, so an attacker can remove the markers that prevent reuse of consumed action tokens such as password reset links. The CVSS base score is 5.3 (Medium). Administrators should update to a patched version (26.2.15 or 26.4.14, depending on the release line) as soon as possible.
An attacker with access to Keycloak, whether through a vulnerability elsewhere in the deployment or through compromised credentials, could exploit this flaw by driving the SingleUseObjectProvider to delete the entry that marks a password reset token as used. With that entry gone, a reset link that has already been consumed is accepted again, and the attacker can use it to set a new password on the victim's account. Two caveats narrow the attack: the attacker must possess the consumed token (for example a reset link recovered from browser history, logs or a referrer, which would normally be harmless once used), and the token must still be within its own validity window, since deleting the single-use record does not extend the token's expiry. No privileges on the underlying operating system are needed, only a path into Keycloak that lets the attacker control the key being deleted; how hard that is depends on the deployment's configuration and existing controls. The root cause is that the store keys entries without any per-type or per-namespace separation, so a deletion from one feature can reach entries owned by another.
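The following added Python model (not Keycloak's code; the class and function names, the "cancel pending item" feature, and the token format are assumptions for the demo) shows the pattern described above: two features share one flat single-use store, so a deletion requested through the second feature with an attacker-chosen key wipes the "consumed" marker written by the password reset flow, and the reset token is accepted a second time. The namespaced wrapper is one way to restore isolation, not a description of the actual fix.

```python
"""Constructed model of a shared single-use store with and without namespace
isolation. Demo code only; not Keycloak's SingleUseObjectProvider."""
import secrets
import time


class SharedSingleUseStore:
    """Flat global key-value store: every feature shares one key space."""

    def __init__(self):
        self._entries = {}  # key -> (expiry_epoch, notes)

    def put(self, key, lifespan_seconds, notes=None):
        self._entries[key] = (time.time() + lifespan_seconds, dict(notes or {}))

    def contains(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return False
        if entry[0] < time.time():  # expired entries count as absent
            del self._entries[key]
            return False
        return True

    def remove(self, key):
        """Delete an entry by exact key; True if something was removed."""
        return self._entries.pop(key, None) is not None


class NamespacedSingleUseStore:
    """View of the shared store that prefixes every key with a fixed,
    server-chosen namespace, so one feature cannot address another's entries.
    (Assumed design for the demo, not the project's own change.)"""

    def __init__(self, backing, namespace):
        if not namespace or ":" in namespace:
            raise ValueError("namespace must be non-empty and contain no ':'")
        self._backing = backing
        self._prefix = namespace + ":"

    def put(self, key, lifespan_seconds, notes=None):
        self._backing.put(self._prefix + key, lifespan_seconds, notes)

    def contains(self, key):
        return self._backing.contains(self._prefix + key)

    def remove(self, key):
        return self._backing.remove(self._prefix + key)


def issue_reset_token():
    """Constructed stand-in for a reset-credentials action token: a random nonce."""
    return secrets.token_urlsafe(16)


def consume_reset_token(store, nonce, lifespan_seconds=300):
    """Reset flow: refuse a nonce already marked consumed, otherwise mark it.
    Returns True when the reset is allowed to proceed."""
    if store.contains(nonce):
        return False  # replay detected
    store.put(nonce, lifespan_seconds, {"type": "reset-credentials"})
    return True


def cancel_pending_item(store, client_supplied_key):
    """Hypothetical second feature that deletes an entry by a key taken from
    the request. Against the flat store this reaches every feature's entries."""
    return store.remove(client_supplied_key)


def run_scenario(isolated):
    """Return (first_use_allowed, replay_allowed) for the flat or namespaced store."""
    backing = SharedSingleUseStore()
    if isolated:
        reset_store = NamespacedSingleUseStore(backing, "action-token")
        cancel_store = NamespacedSingleUseStore(backing, "pending-item")
    else:
        reset_store = cancel_store = backing
    nonce = issue_reset_token()
    first = consume_reset_token(reset_store, nonce)  # legitimate use of the link
    cancel_pending_item(cancel_store, nonce)  # attacker supplies the token's key
    replay = consume_reset_token(reset_store, nonce)  # True means replay succeeded
    return first, replay


if __name__ == "__main__":
    print("flat store      (first, replay):", run_scenario(isolated=False))
    print("namespaced store (first, replay):", run_scenario(isolated=True))
```

With the flat store the scenario returns (True, True): the consumed marker is deleted and the reset link works again. With the namespaced store it returns (True, False): the deletion lands on `pending-item:<nonce>` and the `action-token:<nonce>` marker survives. The namespace is chosen by server code, never by the client, which is what keeps one feature's keys out of reach of another.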
EPSS: 0.04% (11th percentile)
The recommended solution is to update to a Keycloak version that contains the fix for CVE-2026-4325: 26.2.15 for the 26.2 line or 26.4.14 for the 26.4 line. Until the upgrade is done, reduce exposure: the SingleUseObjectProvider is an internal SPI with no access control of its own, so the practical step is to limit which users, clients and custom extensions can reach the Keycloak interfaces that interact with it. Enable Keycloak's user event logging and watch for repeated password resets on the same account or reset links being completed more than once. Enforcing multi-factor authentication adds a further barrier even if a reset token is replayed. Keeping Keycloak up to date and following the usual hardening guidance remain the baseline protections for the environment.
Update Keycloak to version 26.2.15 or later, or to version 26.4.14 or later. This update fixes a vulnerability that allows an attacker to delete single-use entries, which could permit the replay of consumed action tokens such as password reset links and lead to unauthorized access or account compromise.
It's a Keycloak component that temporarily stores single-use data, like password reset tokens.
It could allow attackers to reset user passwords without their consent, compromising their accounts.
Restricting who can reach the Keycloak interfaces that use the SingleUseObjectProvider and enabling multi-factor authentication (MFA) are temporary measures; upgrading is the fix.
Fixed releases are available: Keycloak 26.2.15 and 26.4.14. Check official Keycloak and Red Hat sources for the advisory and release notes.
Change your password immediately and contact your Keycloak administrator to investigate the incident.